download:

/attachments/1332055890374688901/1392228978437394492/AnyDesk.exe

Full analysis: https://app.any.run/tasks/7f014349-314c-4100-be2b-4ad2257f36f5
Verdict: Malicious activity
Analysis date: July 08, 2025, 19:41:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
anydesk
rmm-tool
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

375458B10E0675AF170867C24F8919A6

SHA1:

CE09A075C397AB3C0A3F77EDF193067912C98C98

SHA256:

D491CBA96D705DC81D5FDF190D83C1B7409337E12C81A611339B5A0276B14528

SSDEEP:

98304:LzWmyNjwkw5od8UWMXw7hQyXP8kMB8M8AmxhVXzJ/7esKNiVwyxtAZZ0MhRUJuCl:GMDhfsby4e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 5720)

    • ANYDESK has been found

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 5720)

    • ANYDESK mutex has been found

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 6868)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 3648)
      • AnyDesk.exe (PID: 5720)
      • AnyDesk.exe (PID: 4788)

    • Connects to unusual port

      • AnyDesk.exe (PID: 4748)

    • Reads security settings of Internet Explorer

      • AnyDesk.exe (PID: 4748)

    • The process checks if it is being run in the virtual environment

      • AnyDesk.exe (PID: 4788)

    • Starts another process probably with elevated privileges via RUNAS.EXE

      • runas.exe (PID: 4052)
      • runas.exe (PID: 3540)
      • runas.exe (PID: 5084)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3388)

  • INFO

    • The sample compiled with english language support

      • AnyDesk.exe (PID: 2432)

    • Reads the computer name

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 6868)
      • AnyDesk.exe (PID: 3648)
      • AnyDesk.exe (PID: 4788)
      • AnyDesk.exe (PID: 5720)

    • Checks supported languages

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 6868)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 3648)
      • AnyDesk.exe (PID: 5720)
      • AnyDesk.exe (PID: 4788)

    • Process checks whether UAC notifications are on

      • AnyDesk.exe (PID: 2432)

    • Creates files or folders in the user directory

      • AnyDesk.exe (PID: 2432)
      • AnyDesk.exe (PID: 6868)
      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 3648)
      • AnyDesk.exe (PID: 4788)

    • Reads the machine GUID from the registry

      • AnyDesk.exe (PID: 4748)
      • AnyDesk.exe (PID: 2432)

    • Reads CPU info

      • AnyDesk.exe (PID: 6868)

    • Checks proxy server information

      • AnyDesk.exe (PID: 6868)
      • slui.exe (PID: 2072)

    • Reads the software policy settings

      • slui.exe (PID: 2072)

    • Manual execution by a user

      • cmd.exe (PID: 1868)
      • cmd.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:13 15:00:36+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 10752
InitializedDataSize: 5603328
UninitializedDataSize: 18616832
EntryPoint: 0x1ce5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 9.0.4.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 9.0.4
ProductName: AnyDesk
ProductVersion: 9
LegalCopyright: (C) 2025 AnyDesk Software GmbH
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
16
Malicious processes
2
Suspicious processes
6

Behavior graph

Click at the process to see the details
start anydesk.exe no specs anydesk.exe anydesk.exe no specs slui.exe anydesk.exe no specs anydesk.exe anydesk.exe cmd.exe no specs conhost.exe no specs runas.exe no specs runas.exe no specs runas.exe no specs cmd.exe conhost.exe no specs wininit.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1868"C:\WINDOWS\system32\cmd.exe" C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
2072C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2348\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2432"C:\Users\admin\Desktop\AnyDesk.exe" C:\Users\admin\Desktop\AnyDesk.exeexplorer.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.4
Modules
Images
c:\users\admin\desktop\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
2508wininitC:\Windows\System32\wininit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Start-Up Application
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dwminit.dll
3388"C:\WINDOWS\system32\cmd.exe" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
3540runas cmd.exeC:\Windows\System32\runas.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run As Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3648"C:\Users\admin\Desktop\AnyDesk.exe" --backendC:\Users\admin\Desktop\AnyDesk.exeAnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Exit code:
0
Version:
9.0.4
Modules
Images
c:\users\admin\desktop\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\msvcrt.dll
4052runas C:\Windows\System32\runas.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run As Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4748"C:\Users\admin\Desktop\AnyDesk.exe" --local-serviceC:\Users\admin\Desktop\AnyDesk.exe
AnyDesk.exe
User:
admin
Company:
AnyDesk Software GmbH
Integrity Level:
MEDIUM
Description:
AnyDesk
Version:
9.0.4
Modules
Images
c:\users\admin\desktop\anydesk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winmm.dll
Total events
6 871
Read events
6 871
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
344
Unknown types
0

Dropped files

PID
Process
Filename
Type
2432AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1776c6.TMP
MD5:
SHA256:
2432AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF177704.TMP
MD5:
SHA256:
2432AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF177733.TMP
MD5:
SHA256:
2432AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1777b0.TMP
MD5:
SHA256:
2432AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1777c0.TMP
MD5:
SHA256:
4748AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF177975.TMP
MD5:
SHA256:
6868AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1779a4.TMP
MD5:
SHA256:
6868AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\user.conf~RF1779b4.TMP
MD5:
SHA256:
4748AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\service.conf~RF177cb2.TMP
MD5:
SHA256:
4748AnyDesk.exeC:\Users\admin\AppData\Roaming\AnyDesk\system.conf~RF177cb2.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
126
TCP/UDP connections
82
DNS requests
28
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
40.69.42.241:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.42
  • 23.216.77.41
  • 23.216.77.15
  • 23.216.77.36
  • 23.216.77.35
  • 23.216.77.5
  • 23.216.77.38
  • 23.216.77.7
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 95.101.149.131
whitelisted
boot.net.anydesk.com
  • 37.59.29.33
  • 57.128.101.74
  • 57.128.101.75
  • 141.95.145.210
  • 195.181.174.174
  • 195.181.174.173
whitelisted
relay-5879a7fa.net.anydesk.com
  • 162.19.169.47
whitelisted
relay-32c13e22.net.anydesk.com
  • 57.128.101.81
whitelisted
relay-0704c0e0.net.anydesk.com
  • 208.115.231.138
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Domain (boot .net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
2200
svchost.exe
Misc activity
ET REMOTE_ACCESS Anydesk Relay Domain (net .anydesk .com) in DNS Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/attachments/1332055890374688901/1392228978437394492/AnyDesk.exe